Service user privacy notice – General Data Protection Regulation (GDPR)
Easy read – Service user privacy notice – General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR)
The purpose of this notice is to inform you of the type of information that Wirral Community Health and Care NHS Foundation Trust (WCHC) holds; how that information is used; who we may share that information with; and how we keep it secure and confidential.
Data Controller
WCHC are registered as a Data Controller with the Information Commissioner’s Office (ICO) and are committed to protecting the rights of individuals in line with the General Data Protection Regulation (GDPR) 2016.
Address:
Wirral Community Health and Care NHS Foundation Trust
Derby Road
Birkenhead,
Wirral
CH42 0LQ
Telephone: 0151 514 2888
Data Protection Officer
WCHC’s Data Protection Officer can be contacted through [email protected]
What information is collected about me?
The trust collects a combination of personal and special category information that includes:
- basic details, such as your name, address, telephone numbers, date of birth
- details relating to your next of kin
- contacts we have had with you, such as appointments and home visits
- details and records of treatment and care, including notes and reports about your health/care needs
- images for example photograph, x-rays, scans
- test results eg Point of Care Testing
- financial information relevant to your care and support requirements
- visual images eg, CCTV images are used as part of the building security
- responses to surveys
- information relating to complaints and concerns
- racial and ethnic origin
- offences (including alleged offences), criminal proceedings, outcomes and sentences
- religion or similar beliefs
- physical or mental health details
- sexual orientation
- phone recordings – you will be informed if a phone call is being recorded
We have no right to ask you about information that is not relevant to your care.
Why is information collected about me?
The health and social care professionals caring for you keep records about your health and any treatment or care you receive. This information is either written down or stored electronically.
These records are then used to guide and manage the care you receive. This is to ensure that:
- those involved in your care have accurate and up-to-date information to assess your needs
- we can assess the quality of care you have received
- we can offer you or your next of kin identified care or support
- if you need to complain about the care you receive, your concerns or complaints can be properly investigated
To help the NHS
Information is also used to help support the future development of the NHS, ensuring the services provided to our patients/service users is always improving. Some areas where we may process partly/fully anonymised data include:
- analysis of statistical data to review NHS performance and key performance indicators
- to aid the completion of audits across our NHS services
- to review and monitor how we spend public money
- to help plan and develop strategic direction for the future delivery of our NHS service
- to teach and train health/social care professionals
- to conduct health/social care research and development
- to maintain our accounts and records and review and monitor how we spend public money
What is the legal basis for processing my information?
The lawful bases for processing personal data are set out in Article 6 of the UK General Data Protection Regulation and Article 9 for the processing of special categories data.
We collect and process your personal data for a variety of purposes as outlined in this Privacy Notice.
In many cases, separate consent is not required and therefore we will rely on another ‘legal basis for processing.’ These include:
Legal obligation: the processing is necessary for us to comply with the law (not including contractual obligations).
Vital interests: the processing is necessary to protect someone’s life.
Public task: the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.
Health and Care Purposes: the processing is necessary for the purposes of preventive or occupational medicine, for the assessment of working capacity of the employee, medical diagnosis, the provision of health care treatment or the management of health or social care services. Occasionally we may ask you for your consent.
Managing Preferences and Withdrawing Consent
Consent means offering individuals genuine choice and control. Under the General Data Protection Regulation, consent requires a positive opt-in. We will not use pre-ticked boxes or any other method of consent by default.
We will not use pre-ticked boxes or any other method of consent by default. As explicit consent requires a very clear and specific statement of consent, we will ensure that this is done.
- we will keep consents separate from other terms and conditions
- be specific and granular, clear and concise
- we will name any third party controllers who will rely on consent as required
- make it easy for people to withdraw consent
We will:
- keep evidence of consent – who, when, how and what individuals were told
- keep consent under review and refresh if and when anything changes
- avoid making consent a precondition of a service
How do we keep your information confidential and safe?
Information is retained in secure electronic and paper records and access is restricted to those who need to know. Access to these records is strictly controlled and fully auditable.
Everyone working for the NHS has a legal duty to keep information about you confidential and secure under Data Protection Legislation, Caldicott Principles and Common Law Duty of Confidentiality.
Our staff are trained to handle your information correctly and protect your privacy.
Who will my information be shared with?
Where lawful and necessary we will share appropriate, relevant and proportionate personal data with the following:
- health care providers, education services, local council and voluntary/third sector organisations who are directly involved in your care.
- organisations that we have contracted or have been contracted by to provide a service. We will only ever share your data if we are satisfied that our partners or suppliers have sufficient measures in place to protect your data in the same way that we do.
- auditors and regulatory bodies such as the Care Quality Commission.
- legal claims and complaints
- none departmental Government bodies, for example, NHS Digital
We are also required by law to report certain information to the appropriate authorities. Occasions when we must pass on information include:
- notification of a new birth
- where we encounter infectious diseases which may endanger the safety of others, such as meningitis or measles
- where a formal court order has been issued
- when the Police request information as part of a criminal investigation
Wirral Care Record
Providing health and social care professionals with an overview of your health and social care information in one digital record. Further information can be found here on the NHS Cheshire and Merseyside website.
Cheshire Care Record
A local electronic patient record that allows health and social care professionals directly involved in your care, to share a summary of your medical record. Further information can be found here: www.cheshirecarerecord.co.uk
Patient Level Information and Costing Systems (PLICS) – NHS Digital has a legal obligation to collect the PLICS data from us and has issued us with a Data Provision Notice (DPN) under section 259(1)(a) of the Health and Social Care Act 2012. This means we have a legal obligation to submit PLICS data to them in accordance with the manner and frequency set out in the DPN. The PLICS data is securely sent to NHS Digital, which is the central organisation that receives the PLICS data from other publicly funded providers of Acute, Mental Health, Improving Access to Psychological Therapies, Ambulance and Community Services across England in relation to Patient Level Information and Costing. NHS Digital combines the data we send with other corresponding data sent by other care providers and removes all identifying details before the data is issued to other organisations. Your data is used to inform new costing methods for NHS services and enables us to receive information back from NHS Digital and NHS Improvement that we can use to maximise our resources and improve efficiencies.
National Data Opt-Out Programme
The Trust is one of many organisations working in the health and care system to improve care for patients and the public. Whenever you use a health or care service important information about you is collected in a record for that service. Collecting this information helps to ensure you get the best possible care and treatment.
The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:
- improving the quality and standards of care provided
- research into the development of new treatments
- preventing illness and diseases
- monitoring safety
- planning services
This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.
You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt-out your confidential patient information will still be used to support your individual care.
Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.
To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters.
WCHC comply with the national data opt-out policy.
External Systems and third party providers – there are areas of work where we use externally provided systems (such as our clinical system) to manage your information for service delivery, monitoring and improvement. We ensure that appropriate controls are in place to mitigate risk and ensure compliance with our requirements.
Please note that if you provide us with your mobile number then we may use this to send you a reminder about your appointment, test results and to ask you for feedback. Please let us know if you do not wish to receive these on your mobile.
Your information is never collected or sold for direct marketing purposes. Your information is not processed overseas.
How long do you keep my information for?
Information is held for specified periods of time as set out in the Information Governance Alliance ‘Records Management Code of Practice for Health and Social Care 2016.’
Your legal rights?
Under certain circumstances, you have the following rights under data protection laws in relation to your personal data:
- Request access to your personal data (commonly known as a ‘subject access request’). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
- Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us and any changes will be at the discretion of the health professional/social worker involved in your care.
Any request for access to records should be forwarded on to:
General Office
Victoria Central Health Centre
Mill Lane, Wallasey
Wirral CH44 5UF
Telephone: 0151 604 7592
Email: [email protected]
Wirral Community Health and Care NHS Foundation Trust
Request erasure of your personal data
This enables you to ask us to delete or remove personal data where there is no good reason for us continue to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which overrides your rights and freedoms.
Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
Request the transfer of your personal data to you or to a third party in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you therefore, this right is unlikely to apply to the information held by the trust.
Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
If you wish to exercise any of the rights set out above or have any concerns about your information, please contact our Data Protection Officer:
Email: [email protected]
Tel: 0151 514 2202
If you are still unhappy with the outcome of your enquiry you can write to:
The Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 01625 545700
We are committed to making our publications as accessible as possible. If you need this document in an alternative format, for example, large print, Braille or a language other than English, please speak to the Health Care Professional involved with your care.